Yahoo's recent 10-Q filing with the U.S. Securities and Exchange Commission included new information about the company's massive data breach, including connections to a 2014 network intrusion by a presumed nation-state attacker.

The Yahoo data breach, which was officially disclosed in September, exposed private information from at least 500 million user accounts, including names, email addresses, telephone numbers, dates of birth, and hashed passwords, as well as encrypted or unencrypted security questions and answers. In its initial statement about the breach, Yahoo claimed that a network intrusion in late 2014, by what the company believed to be a state-sponsored actor, led to the breach.

Yahoo's 10-Q filing provided additional details about the 2014 network intrusion. Specifically, the filing states that Yahoo broadened the scope of its initial security investigation to determine "the scope of knowledge within the Company in 2014 and thereafter regarding this access." Yahoo acknowledged that at least some employees knew about the 2014 attack when it occurred two years ago, but the company hasn't yet disclosed who those individuals are, what they knew and when they knew it.

The SEC filing also included information about how a threat actor, believed to be the same nation-state attacker responsible for the 2014 incident, created counterfeit browser cookies that bypassed Yahoo's authentication systems. The revelations led security experts to further criticize Yahoo's security practices and response to the data breach.

What does the SEC filing say about the Yahoo data breach? How serious are the revelations about cookie abuse by a state-sponsored attacker? How could the incident affect Verizon's proposed acquisition of Yahoo? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the topic of the Yahoo breach.
